Help debugging TLS certificate error in goproxy


Elazar Leibovich

Jul 30, 2013, 3:37:51 PM
to golan...@googlegroups.com
Hi,

I'm having a problem I cannot recreate in goproxy, and I'll be very glad for help with validating it.

goproxy allows you to wiretap an HTTPS connection.

The way it does that is:
1) goproxy has a built-in CA certificate, hard-coded into a variable. It's generated with http://golang.org/src/pkg/crypto/tls/generate_cert.go
2) Given a CONNECT foo.com:443 proxy request, it would:
3) Generate a certificate for foo.com and sign it with the builtin CA,
4) Submit this certificate with the certificate chain: [new_cert, CA], using crypto/tls package.

It seems to work on my machine, but a user still complains: https://github.com/elazarl/goproxy/issues/15

I could use two forms of help:

1) Test it on your environment and report the results.
2) Generally speaking, I don't really know cryptography in general, or TLS/SSL in particular. If you do, have a look at the code and explain my mistakes.
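
The four steps in the message above, reduced to what a client actually checks, as an added Go example that is not goproxy's code and not part of the original thread. The helper names `newCert` and `verifyAs`, the ECDSA P-256 keys and the CA name are assumptions made for this illustration; it shows that the generated leaf validates only for a client whose root pool contains the proxy CA, and only for the host named in the certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert makes a self-signed CA when parent is nil, else a leaf for host `name` signed by parent.
func newCert(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (cert *x509.Certificate, key *ecdsa.PrivateKey, err error) {
	if key, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil { // key type is an assumption
		return
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		DNSNames:              []string{name}, // clients match the host against SANs
		BasicConstraintsValid: true,
	}
	if parent == nil { // self-signed: the template signs itself with its own key
		tmpl.IsCA, tmpl.KeyUsage, tmpl.DNSNames = true, x509.KeyUsageCertSign, nil
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err == nil {
		cert, err = x509.ParseCertificate(der)
	}
	return
}

// verifyAs validates leaf for host as a TLS client trusting only roots (pass a non-nil pool).
func verifyAs(leaf *x509.Certificate, host string, roots *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

func main() {
	ca, caKey, _ := newCert("constructed proxy CA", nil, nil)
	leaf, _, _ := newCert("foo.com", ca, caKey)
	trusted, empty := x509.NewCertPool(), x509.NewCertPool() // client with / without the proxy CA installed
	trusted.AddCert(ca)
	fmt.Println(verifyAs(leaf, "foo.com", trusted), verifyAs(leaf, "foo.com", empty), verifyAs(leaf, "bar.com", trusted))
}
```

A client that reports a certificate error against the proxy can be compared with these three outcomes: an unknown-authority error means the CA is missing from that client's trust store, while a hostname error means the generated leaf does not name the requested host.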

Dave Cheney

Jul 30, 2013, 9:41:39 PM
to Elazar Leibovich, golang-nuts
I don't think this will work for the big social networking sites and
search engines. They will have pinned their SSL certs in the browser
by fingerprint so this substitution will not work even if the
generated certificate is properly signed back to a CA that you have
inserted into the user's browser.

Elazar Leibovich

Jul 31, 2013, 12:32:13 AM
to Dave Cheney, golang-nuts
I don't think this is correct, have a look at this excellent post, by agl: https://www.imperialviolet.org/2011/05/04/pinning.html

> What about MITM proxies, Fiddler etc?
>
> There are a number of cases where HTTPS connections are intercepted by using local, ephemeral certificates. These certificates are signed by a root certificate that has to be manually installed on the client. Corporate MITM proxies may do this, several anti-virus/parental control products do this and debugging tools like Fiddler can also do this. Since we cannot break in these situations, user installed root CAs are given the authority to override pins. We don't believe that there will be any incompatibility issues.
